Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#21 Post by timbgo »

Here are the packages:
EDIT START:
just gave this page a much better look and lots more explaining:
http://croatiafidelis.hr/gnu/deb/linux- ... sec140219/
Thu Feb 20 02:36:32 GMT 2014
Skim fast through the rest of this post, not really needed, rather read the above page, it's more complete!
EDIT END

Since only one is hefty... pasting the list:

README.txt
README.txt.sig
linux-firmware-image-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-headers-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-image-3.13.3-grsec140219-03-dbg_3.13.3-grsec140219-03-1_amd64.deb
linux-image-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-libc-dev_3.13.3-grsec140219-03-1_amd64.deb

...it is only this one that is some 330MB:
linux-image-3.13.3-grsec140219-03-dbg_3.13.3-grsec140219-03-1_amd64.deb

Pls. let me know if verification fails. If that happens to be the case, post here A.S.A.P.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#22 Post by timbgo »

Here's the current script, for those who might want to try compiling (best! ... and the hardest for newbies...).
Here:


#!/bin/bash
#
# This is grsec_debian_v3.13.6.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.13.6.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 12GB free in your homedir,"
echo "you need to modify the script or arrange in some other way such as to"
echo "make the /home/$user/src a symlink to somewhere with enough room for the"
echo "compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.6.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.6.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.6-201403122116.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.6-201403122116.patch.sig
echo ; echo "A note about the config to use: it should work (I'll try this"
echo "script first thing after I finish this updating/rewriting it from the"
echo "previous version), it is sometimes the same as previous or next, just the"
echo "LOCALVERSION changes,"
echo "so you could use an older of the config, but the latest I offer at the time"
echo "updating this script is: config-3.13.3-grsec140219-03"
echo ;
        read FAKE ;
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.13.3-grsec140219-03.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.13.3-grsec140219-03.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.13.6.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.13.6-201403122116.patch* /home/$user/src/
cp -iav config-3.13.3-grsec140219-03* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.13.6*
        read FAKE ;
echo ; echo unxz linux-3.13.6.tar.xz ;
        read FAKE ; 
 unxz linux-3.13.6.tar.xz ;
echo ; echo gpg --verify linux-3.13.6.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.13.6.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.13.6-201403122116.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.13.6-201403122116.patch.sig;
echo ; echo gunzip config-3.13.3-grsec140219-03.gz;
        read FAKE ; 
 gunzip config-3.13.3-grsec140219-03.gz;
echo ; echo gpg --verify config-3.13.3-grsec140219-03.sig ;
        read FAKE ; 
 gpg --verify config-3.13.3-grsec140219-03.sig ;
echo ; echo tar xvf linux-3.13.6.tar ;
        read FAKE ; 
 tar xvf linux-3.13.6.tar ;
echo ; echo cd linux-3.13.6;
        read FAKE ; 
 cd linux-3.13.6; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.13.6-201403122116.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.13.6-201403122116.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.13.3-grsec140219-03 linux-3.13.6/.config;
        read FAKE ; 
 cp -iav config-3.13.3-grsec140219-03 linux-3.13.6/.config
echo ; echo cd linux-3.13.6;
        read FAKE ; 
 cd linux-3.13.6
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140219-03/$locver/" .config
read FAKE ;
sed -i.bak "s/140219-03/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.13.6.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere), you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since some old installations quite some weeks ago now (just go to
# forums.grsecurity.net in case you doubt my words). Reasons for my suspicion:
# no issues in the system until only offline, freshly cloned, as I do them,
# from other same hardware of my systems, safely offline, and strange issues
# arising solely after the system has connected to internet... And again, no
# issues with sysresccd booting and accessing internet from the same box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police longer
# ago yet in a video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
#
# But here the link, for convenience:
# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.3 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions but someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate, had I had the time.
# That behavior, such hostile action or arrangements, are, apart from being
# severe moral degradation in itself, against Debian declared social contract,
# isn't it?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who behave like a bunch of crooks, you have a piece of
# commons, you have a property of, for short explanation, all good users in the
# world, a property which is there for all of us to benefit, and not for you to
# sell users with, through shady dealings with spy agencies and their
# associates like Google, your great friend...
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are doing that!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now,
# and yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# It is, however, not a minor effort to demonstrate how new Grsecurity attempts
# at installing and using Grsecurity are deterred, or facilitated to be
# deterred, purposefully, so go and study my work so far to decide for yourself
# whether my bare words with no proofs as yet are to be, or not, taken with,
# and with how much, serious consideration, and whether my accusations against
# Debian leaders might be or are probably not at all baseless. Because efforts
# I will make to prove the above suspicion, but it is really huge effort that
# is needed, and my machines and my SOHO are under attack...  So I am not at
# all certain to succeed in doing so. Looking all the more unlikely to have the
# time to do so, is my later musing, as I revisit what I wrote, for the current
# version of the script...
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 
But, of course, there is the signed version, here:
http://www.croatiafidelis.hr/gnu/deb/gr ... v3.13.6.sh
http://www.croatiafidelis.hr/gnu/deb/gr ... 3.6.sh.sig
I checked it as I was letting my jigdo-automate script:
http://forums.debian.net/viewtopic.php? ... 23#p533823
do the work of replacing the old ISOs with the new ones...
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
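
The LOCALVERSION step in the script above (and in the later grsec_debian_compile_v010.sh version) is the one that names the resulting packages, so it is worth doing with a check rather than a blind sed. The following is an added example, not the poster's script: it reads the current CONFIG_LOCALVERSION out of a .config, rewrites it as prefix + date-hour stamp while keeping the "-grsec" prefix that the posted package names (linux-image-3.13.6-grsec140314-22...) carry, refuses a prefix without the leading "-" (without it the kernel release string would become "3.13.6grsec..."), keeps a .bak copy, and prints the release string the built .deb will carry. The sample .config fragment at the bottom is constructed here; the function names are this example's own.

```shell
#!/bin/bash
# Added example, not the poster's script: update CONFIG_LOCALVERSION in a
# kernel .config safely. Function names here are this example's own.

# Print the current value of CONFIG_LOCALVERSION, without the quotes.
# usage: get_localversion CONFIGFILE
get_localversion() {
    sed -n 's/^CONFIG_LOCALVERSION="\(.*\)"$/\1/p' "$1"
}

# Replace the value with PREFIX + STAMP, keeping a .bak copy next to the file,
# and print the new value so the caller can check it.
# usage: set_localversion CONFIGFILE PREFIX STAMP   (e.g. .config -grsec 140314-22)
set_localversion() {
    cfg=$1 prefix=$2 stamp=$3
    grep -q '^CONFIG_LOCALVERSION=' "$cfg" || { echo "no CONFIG_LOCALVERSION in $cfg" >&2; return 1; }
    # LOCALVERSION must start with "-" or the release becomes "3.13.6grsec..."
    case $prefix in
        -*) ;;
        *)  echo "prefix must start with -" >&2; return 1 ;;
    esac
    sed -i.bak "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=\"$prefix$stamp\"/" "$cfg"
    get_localversion "$cfg"
}

# The release string the packages will carry: kernel version + LOCALVERSION,
# e.g. 3.13.6 + -grsec140314-22 -> 3.13.6-grsec140314-22
# usage: expected_release KERNELVERSION CONFIGFILE
expected_release() {
    echo "$1$(get_localversion "$2")"
}

# Demonstration on a constructed .config fragment (not a real config file):
demo=$(mktemp)
printf 'CONFIG_LOCALVERSION="-grsec140219-03"\nCONFIG_LOCALVERSION_AUTO=n\n' > "$demo"
echo "old value: $(get_localversion "$demo")"
echo "new value: $(set_localversion "$demo" -grsec "$(date +%y%m%d-%H)")"
echo "packages will be built as release $(expected_release 3.13.6 "$demo")"
rm -f "$demo" "$demo.bak"
```

In the poster's workflow this replaces the `sed -i.bak "s/140219-03/$locver/" .config` line: run `set_localversion .config -grsec "$(date +%y%m%d-%H)"` inside the kernel source directory, compare the printed value with `grep LOCALVERSION .config`, and only then go on to `make menuconfig`.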

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#23 Post by timbgo »

I checked the script while online for the throwaway system that I go online with.
I mean, in the sense that I wrote in some of my tips pages, maybe:

Poor User's Defences, Basic Anti-Surveillance for Debian
http://forums.debian.net/viewtopic.php?f=3&t=111906
(which is, lo and behold, moved to Offtopic! Good users, no worry! And use your sane judgement, without malice, and let us not be intimidated.)

But I compiled fine on my safe offline master clone system, and these deb packages should work for gentle readers' AMD64 arch machines.

I need to sort the page to be as the old one (but DON'T use this one):
http://www.croatiafidelis.hr/gnu/deb/li ... sec140219/
(ok, NOT that to use, but to look like that one)...

Use this:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

And here the listing of it:


 ls -l
-rw-r--r--    1 rovisnet rovisnet      666 Mar 15 06:08 SUMS
-rw-r--r--    1 rovisnet rovisnet      819 Mar 15 06:08 SUMS.sig
-rw-r--r--    1 rovisnet rovisnet   903122 Mar 15 06:08 linux-firmware-image-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet  6799122 Mar 15 06:10 linux-headers-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet 337868462 Mar 15 07:57 linux-image-3.13.6-grsec140314-22-dbg_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet 30382012 Mar 15 08:07 linux-image-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet   741326 Mar 15 08:07 linux-libc-dev_3.13.6-grsec140314-22-1_amd64.deb
So it's just:
linux-image-3.13.6-grsec140314-22-dbg_3.13.6-grsec140314-22-1_amd64.deb
that is some 320MB, the rest is lightweight.

That is all that is necessary, I'll try and improve the looks of it, but I just don't know when.
And, it's not just a week or two... it's, these packages for a little longer, probably a few weeks from now that they can be installed and beneficially used.

Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr
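
Posts #21 and #23 above ship the packages with README.txt.sig and SUMS/SUMS.sig, and the compile script runs `gpg --verify` on the tarball, patch and config, but in both cases the result is only read off the screen. The following is an added example, not the poster's script or the Debian/grsecurity projects' own tooling: it checks a detached signature by comparing the full 40-hex-digit fingerprint reported on gpg's machine-readable VALIDSIG status line against an expected value (a short key ID such as 0x2525FE49, as used with --recv-key, is too easy to collide to identify a key), then picks the digest tool for the SUMS file from the digest length (the SUMS format is assumed to be the usual md5sum/sha*sum layout; the page does not state which), and runs it in strict mode. The fingerprint in the demonstration is a placeholder, not any real key.

```shell
#!/bin/bash
# Added example, not the poster's script: verify a detached gpg signature
# against a known full fingerprint, then check the SUMS file with the digest
# tool matching its format. The fingerprint used below is a PLACEHOLDER
# (assumed); take the real ones from the key owners' published fingerprints.

# Succeed only if a "[GNUPG:] VALIDSIG" status line carries the expected
# 40-hex-digit fingerprint. Short key IDs are easy to collide, so the full
# fingerprint is compared rather than the ID gpg shows in its text output.
# usage: gpg_status_ok EXPECTED_FPR   (status lines on stdin)
gpg_status_ok() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$1" ]
}

# Run gpg on SIGFILE over DATAFILE and feed its machine-readable status lines
# (--status-fd 1) to the check above; the exit status is that of the check.
# usage: verify_detached SIGFILE DATAFILE EXPECTED_FPR
verify_detached() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | gpg_status_ok "$3"
}

# Pick the checksum tool from the digest length on the first entry of a SUMS
# file: 32 hex chars md5, 40 sha1, 64 sha256, 128 sha512. Prints the tool name,
# fails on anything else.
# usage: sums_tool SUMSFILE
sums_tool() {
    digest=$(awk 'NF >= 2 { print $1; exit }' "$1")
    case ${#digest} in
        32)  echo md5sum ;;
        40)  echo sha1sum ;;
        64)  echo sha256sum ;;
        128) echo sha512sum ;;
        *)   return 1 ;;
    esac
}

# Check the signature on SUMS first, then every package SUMS lists; stop at
# the first failure so nothing unverified reaches "dpkg -i *.deb".
# usage: check_packages SUMSFILE EXPECTED_FPR   (run in the package directory)
check_packages() {
    verify_detached "$1.sig" "$1" "$2" || { echo "bad or unknown signature on $1" >&2; return 1; }
    tool=$(sums_tool "$1") || { echo "unrecognised digest format in $1" >&2; return 1; }
    "$tool" -c --strict "$1"
}

# Self-check on a constructed status line in the shape gpg prints for a good
# signature (placeholder fingerprint, not a real key).
demo_fpr=0123456789ABCDEF0123456789ABCDEF01234567
demo_status="[GNUPG:] VALIDSIG $demo_fpr 2014-03-15 1394870400 0 4 0 1 10 00 $demo_fpr"
if printf '%s\n' "$demo_status" | gpg_status_ok "$demo_fpr"; then
    echo "status parser: ok"
fi
```

Usage in the directory holding the downloaded .deb files: `check_packages SUMS <fingerprint>`; for the compile inputs, `verify_detached linux-3.13.6.tar.sign linux-3.13.6.tar <kernel.org fingerprint>` and the same for the patch and config files. The same function works on README.txt.sig from post #21. A non-zero exit means do not install.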

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#24 Post by timbgo »

Oh, as usual, testing grsecurity patches move rather fast.
So if you're compiling with my script, use the sed command that I gave somewhere above, and, since the patch is now:
https://grsecurity.net/test/grsecurity- ... 2112.patch
and surely so the signature, replace... or, better, here is the command to run on my latest script:
$ sed -i.bak 's/3.0-3.13.6-201403122116/3.0-3.13.6-201403142112/g' grsec_debian_v3.13.6.sh
and then check, and compile.
Can't check that line now, tired, have to go.
Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#25 Post by timbgo »

I made a post, but it's too much off this Grsecurity topic, and decided to post it OffTopic:
Really Happened? 15e5510744048dc5473d05bfc028fbc2
http://forums.debian.net/viewtopic.php?f=3&t=113059
It's important. Pls. read it; here is a small part:

...
and search for the word youtube, you'll get to this address:


# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al
# HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
Again, in clickable:

Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
https://www.youtube.com/watch?v=_dX-ek2mPaU

That's the paste of the title and the paste of the address.

Can anybody pls. paste over what opens up for them when they access that
address in their browser?
...

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#26 Post by timbgo »

I'll try and post new grsec packages, you can probably expect them in intervals as so far I mostly manage to keep, approx. every one month or so, on:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

There are new packages there currently, the best for probably a week or more to come, and useable for longer actually.

I can't promise anything, as I already stated in many places, along with the reasons.

I hope my contribution is not completely negligible for a better GNU free world.

I'll try and post the better newer version of the script for compiling below.

Thank you!

Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr

grsec_debian_install_00.sh


#!/bin/bash
#
# This is grsec_debian_compile_v010.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_compile_v010.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 12GB free in your homedir,"
echo "you need to modify the script or arrange in some other way such as to"
echo "make the /home/$user/src a symlink to somewhere with enough room for the"
echo "compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo "Give the name of the grsecurity patch (that we need to get) without"
echo "extension, such as grsecurity-3.0-3.13.6-201403122116 (as is found on"
echo "download page on grsecurity.net:"
read grsec ;
echo "Give the name of the kernel (that we need to get) such as linux-3.13.6"
echo "as is found for download (or can be guessed from grsecurity patch's name)"
echo "on kernel.org:"
read kernel ;
echo "Give the name of the (old) config file (that we need to get) usually the"
echo "from last compile, from www.croatiafidelis.hr/gnu/deb/, no extension, such"
echo "as: config-3.13.3-grsec140219-03"
read config
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/$kernel.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/$kernel.tar.xz
wget -nc https://www.grsecurity.net/test/$grsec.patch
wget -nc https://www.grsecurity.net/test/$grsec.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/$config.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/$config.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav $kernel.tar.* /home/$user/src/
cp -iav $grsec.patch* /home/$user/src/
cp -iav $config* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l $kernel*
        read FAKE ;
echo ; echo unxz $kernel.tar.xz ;
        read FAKE ; 
 unxz $kernel.tar.xz ;
echo ; echo gpg --verify $kernel.tar.sign ;
        read FAKE ; 
 gpg --verify $kernel.tar.sign ;
echo ; echo gpg --verify $grsec.patch.sig;
        read FAKE ; 
 gpg --verify $grsec.patch.sig;
echo ; echo gunzip $config.gz;
        read FAKE ; 
 gunzip $config.gz;
echo ; echo gpg --verify $config.sig ;
        read FAKE ; 
 gpg --verify $config.sig ;
echo ; echo tar xvf $kernel.tar ;
        read FAKE ; 
 tar xvf $kernel.tar ;
echo ; echo cd $kernel;
        read FAKE ; 
 cd $kernel; pwd
echo ; echo "patch -p1 < ../$grsec.patch";
        read FAKE ; 
 patch -p1 < ../$grsec.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav $config $kernel/.config;
        read FAKE ; 
 cp -iav $config $kernel/.config
echo ; echo cd $kernel;
        read FAKE ; 
 cd $kernel
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
oldloc=`grep CONFIG_LOCALVERSION= .config|cut -d'"' -f2`
# oldloc holds the whole old value, e.g. -grsec140219-03; keep its -grsec
# prefix and swap only the date-hour stamp, as the package names expect
newloc="-grsec$locver"
echo sed -i.bak "s/$oldloc/$newloc/" .config
read FAKE ;
sed -i.bak "s/$oldloc/$newloc/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_compile_v010.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere), you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since some old installations quite some weeks ago now (just go to
# forums.grsecurity.net in case you doubt my words). Reasons for my suspicion:
# no issues in the system until only offline, freshly cloned, as I do them,
# from other same hardware of my systems, safely offline, and strange issues
# arising solely after the system has connected to internet... And again, no
# issues with sysresccd booting and accessing internet from the same box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police longer
# ago yet in a video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
#
# But here the link, for convenience:
# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.6 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions by someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate, had I had the time.
# That behavior, such hostile action or arrangements, are, apart from being
# severe moral degradation in itself, against Debian declared social contract,
# isn't it?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who behave like a bunch of crooks, you have a piece of
# commons, you have a property of, for short explanation, all good users in the
# world, a property which is there for all of us to benefit, and not for you to
# sell users with, through shady dealings with spy agencies and their
# associates like Google, your great friend...
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are doing that!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now,
# and yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# It is, however, not a minor effort to demonstrate how new Grsecurity attempts
# at installing and using Grsecurity are deterred, or facilitated to be
# deterred, purposefully, so go and study my work so far to decide for yourself
# whether my bare words with no proofs as yet are to be, or not, taken with,
# and with how much, serious consideration, and whether my accusations against
# Debian leaders might be or are probably not at all baseless. Because efforts
# I will make to prove the above suspicion, but it is really huge effort that
# is needed, and my machines and my SOHO are under attack...  So I am not at
# all certain to succeed in doing so. Looking all the more unlikely to have the
# time to do so, is my later musing, as I revisit what I wrote, for the current
# version of the script...
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 
If there aren't some losses in the html of the server anywhere on the way from me to this Forums server, or further to the readers, and if you know how to use the signature below, here it is for your checking. That is just in case the http://www.CroatiaFidelis.hr for some reason became unavailable:

grsec_debian_install_00.sh.sig

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#27 Post by timbgo »

Oh yes, I forgot something.
Old packages will be deleted. Those that are anyway no longer recommended, because they have been obsoleted.
I am running out of space on the server hosting
CroatiaFidelis.hr
Thank you.
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

#28 Post by timbgo »

There are new packages in the current folder:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

Also, while compiling, I noticed the latest script was misnamed in its own text
(look up the before-latest here:
http://croatiafidelis.hr/gnu/deb/linux- ... sec140411/
right at the top, the script I talk about in the first line) and worse, it didn't replace the
old LOCALVERSION with the new, because I forgot to remove one literal
string 'echo' where that sed line is.

Hopefully more coming.

Thanks everybody for the interest!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

#29 Post by timbgo »

Still familiarizing with git, but I think I'll be keeping the script there from now:

https://github.com/miroR/grsec-deb-compile

I'll try and see if I made any typos now compiling:

grsecurity-3.0-3.14.4-201405141623.patch
on, obviously, 3.14.4 kernel.

Miro

#30 Post by timbgo »

The grsec-deb-compile.sh from the github above has nothing new, it is the same as,
only cleaned-up a little, the previous script a little further above, but
for this line:
The diff .config below will only show differences if you edited
the config through the ncurses menuconfig interface. You may and you may
not need to. You may in case, say, you have some exotic hardware and
functionality is later found missing for you. However, only in rare
cases, only those where also in a non-Grsec kernel you would need to, and
those are rare, only where the regular Debian kernel, whose config I base
this compile on, would have issues.
Let me explain. I try and use the expertise that the team building the regular
Debian kernel employ. I do that having in mind others who would want either
to compile a Grsec kernel using this script, or to download and install my
packages for their systems; I don't need all those modules for my own hardware
(I actually planned to always recompile to get rid of all the plethora of
modules that I don't need for my hardware, but that lost precedence after the more
important work of trying to offer a good working script and good working
packages... I'm usually a little tired once I'm done with the compile as is).

I actually tried to see what configuration file I would get based on the
previous, three weeks ago kernel, earlier 3.14.x version, as well as what
configuration I would get if I combined that earlier version with the configuration
file that I got when I installed the latest kernel prepared by the Debian
kernel team.

That kernel you can see, if you downloaded and installed this week's jigdo DVDs
( you can use jigdo-automate-scripts to add a helping layer of automation to
downloading them, as I explained here:
Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php?f=16&t=110503
on that Debian Forums Tips page):

# apt-cache search linux|egrep '^linux-image-3.14'

(that is a "^", caret character, in front of "linux-...", if you have older software, not the latest jigdo testing installed, then search for just '^linux-image-3.1' to see what you have)

That line returns to me:

linux-image-3.14-1-amd64 - Linux 3.14 for 64-bit PCs

I installed that newest kernel exactly for the purpose I mentioned above. I
want as much hardware supported as possible.

And so latest configs to do this comparison, are in my /boot, and I posted some
of them for you to see.

In the dir:
http://www.croatiafidelis.hr/gnu/deb/co ... _testcase/

there are, signed and gzipped:
config-3.14-1-amd64
config-3.14.4-grsec140521-02

The latter is the 3.14.4 config that I got based on the previous 3.14.2
grsec-deb-compile.sh produced packages, that I posted as current three weeks
ago. Obviously now they are in the process of being relegated to old and later
deleted.

And the first is the config that:

# apt-get install linux-image-3.14-1-amd64

installed.

config-3.14.4-grsec140521-02 is the config file of the actually produced
packages, but as you will see, there is a little support lacking for some
hardware in it, so I am not publishing those packages.

Instead, the packages I will post, and the config that I posted and recommend
for people to give as input into the grsec-deb-compile.sh script (along with the
latest grsecurity patch for 3.14.4 and the kernel 3.14.4), are based on, and
take as input, this config file:

http://www.croatiafidelis.hr/gnu/deb/co ... 0521-10.gz
http://www.croatiafidelis.hr/gnu/deb/co ... 521-10.sig

Let me explain why.

I'll do it by showing you the diff.

diff config-3.14.4-grsec140521-02 config-3.14.4-grsec140521-10

53c53
< CONFIG_LOCALVERSION="140521-02"
---
> CONFIG_LOCALVERSION="140521-10"
142c142,144
< # CONFIG_NUMA_BALANCING is not set
---
> CONFIG_ARCH_USES_NUMA_PROT_NONE=y
> # CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
> CONFIG_NUMA_BALANCING=y
241a244
> CONFIG_HAVE_CLK=y
357c360
< # CONFIG_X86_INTEL_LPSS is not set
---
> CONFIG_X86_INTEL_LPSS=y
426c429
< # CONFIG_X86_MSR is not set
---
> CONFIG_X86_MSR=m
509c512
< CONFIG_PHYSICAL_ALIGN=0x1000000
---
> CONFIG_PHYSICAL_ALIGN=0x200000
535a539
> CONFIG_PM_CLK=y
570c574
< # CONFIG_ACPI_EXTLOG is not set
---
> CONFIG_ACPI_EXTLOG=y
687c691
< # CONFIG_X86_SYSFB is not set
---
> CONFIG_X86_SYSFB=y
790c794
< # CONFIG_IPV6_VTI is not set
---
> CONFIG_IPV6_VTI=m
853c857,872
< # CONFIG_NF_TABLES is not set
---
> CONFIG_NETFILTER_SYNPROXY=m
> CONFIG_NF_TABLES=m
> CONFIG_NF_TABLES_INET=m
> CONFIG_NFT_EXTHDR=m
> CONFIG_NFT_META=m
> CONFIG_NFT_CT=m
> CONFIG_NFT_RBTREE=m
> CONFIG_NFT_HASH=m
> CONFIG_NFT_COUNTER=m
> CONFIG_NFT_LOG=m
> CONFIG_NFT_LIMIT=m
> CONFIG_NFT_NAT=m
> CONFIG_NFT_QUEUE=m
> CONFIG_NFT_REJECT=m
> CONFIG_NFT_REJECT_INET=m
> CONFIG_NFT_COMPAT=m
897c916
< # CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
---
> CONFIG_NETFILTER_XT_MATCH_CGROUP=m
915c934
< # CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
---
> CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
951c970
< # CONFIG_IP_SET_HASH_NETPORTNET is not set
---
> CONFIG_IP_SET_HASH_NETPORTNET=m
953c972
< # CONFIG_IP_SET_HASH_NETNET is not set
---
> CONFIG_IP_SET_HASH_NETNET=m
1003a1023,1027
> CONFIG_NF_TABLES_IPV4=m
> CONFIG_NFT_CHAIN_ROUTE_IPV4=m
> CONFIG_NFT_CHAIN_NAT_IPV4=m
> CONFIG_NFT_REJECT_IPV4=m
> CONFIG_NF_TABLES_ARP=m
1011c1035
< # CONFIG_IP_NF_TARGET_SYNPROXY is not set
---
> CONFIG_IP_NF_TARGET_SYNPROXY=m
1024c1048
< CONFIG_IP_NF_TARGET_TTL=m
---
> # CONFIG_IP_NF_TARGET_TTL is not set
1034a1059,1062
> CONFIG_NF_TABLES_IPV6=m
> CONFIG_NFT_CHAIN_ROUTE_IPV6=m
> CONFIG_NFT_CHAIN_NAT_IPV6=m
> CONFIG_NFT_REJECT_IPV6=m
1040c1068
< CONFIG_IP6_NF_MATCH_HL=m
---
> # CONFIG_IP6_NF_MATCH_HL is not set
1045c1073
< CONFIG_IP6_NF_TARGET_HL=m
---
> # CONFIG_IP6_NF_TARGET_HL is not set
1048c1076
< # CONFIG_IP6_NF_TARGET_SYNPROXY is not set
---
> CONFIG_IP6_NF_TARGET_SYNPROXY=m
1058a1087
> CONFIG_NF_TABLES_BRIDGE=m
1177,1178c1206,1207
< # CONFIG_NET_SCH_HHF is not set
< # CONFIG_NET_SCH_PIE is not set
---
> CONFIG_NET_SCH_HHF=m
> CONFIG_NET_SCH_PIE=m
1196,1197c1225,1226
< CONFIG_NET_CLS_CGROUP=y
< # CONFIG_NET_CLS_BPF is not set
---
> CONFIG_NET_CLS_CGROUP=m
> CONFIG_NET_CLS_BPF=m
1239c1268
< # CONFIG_CGROUP_NET_PRIO is not set
---
> CONFIG_CGROUP_NET_PRIO=m
1449,1451c1478,1479
< # CONFIG_NFC_DIGITAL is not set
< CONFIG_NFC_NCI=m
< # CONFIG_NFC_NCI_SPI is not set
---
> CONFIG_NFC_DIGITAL=m
> # CONFIG_NFC_NCI is not set
1459c1487
< # CONFIG_NFC_MRVL is not set
---
> CONFIG_NFC_PORT100=m
1589c1617,1618
< # CONFIG_MTD_NAND_ECC_BCH is not set
---
> CONFIG_MTD_NAND_BCH=m
> CONFIG_MTD_NAND_ECC_BCH=y
1638c1667
< # CONFIG_BLK_DEV_NULL_BLK is not set
---
> CONFIG_BLK_DEV_NULL_BLK=m
1656c1685
< # CONFIG_BLK_DEV_SKD is not set
---
> CONFIG_BLK_DEV_SKD=m
1680a1710
> # CONFIG_ATMEL_PWM is not set
1702,1703c1732
< CONFIG_BMP085=y
< CONFIG_BMP085_I2C=m
---
> # CONFIG_BMP085_I2C is not set
1742c1771
< # CONFIG_INTEL_MIC_HOST is not set
---
> CONFIG_INTEL_MIC_HOST=m
1827c1856
< # CONFIG_SCSI_ESAS2R is not set
---
> CONFIG_SCSI_ESAS2R=m
2252,2254c2281,2283
< # CONFIG_I40E_VXLAN is not set
< # CONFIG_I40E_DCB is not set
< # CONFIG_I40EVF is not set
---
> CONFIG_I40E_VXLAN=y
> CONFIG_I40E_DCB=y
> CONFIG_I40EVF=m
2416c2445
< # CONFIG_USB_NET_HUAWEI_CDC_NCM is not set
---
> CONFIG_USB_NET_HUAWEI_CDC_NCM=m
2420c2449
< # CONFIG_USB_NET_SR9800 is not set
---
> CONFIG_USB_NET_SR9800=m
2532c2561,2563
< # CONFIG_BRCMFMAC is not set
---
> CONFIG_BRCMFMAC=m
> CONFIG_BRCMFMAC_SDIO=y
> # CONFIG_BRCMFMAC_USB is not set
2762a2794
> # CONFIG_KEYBOARD_SAMSUNG is not set
2879c2911
< # CONFIG_TOUCHSCREEN_TSC_SERIO is not set
---
> CONFIG_TOUCHSCREEN_TSC_SERIO=m
2881a2914
> CONFIG_TOUCHSCREEN_W90X900=m
2883c2916
< # CONFIG_TOUCHSCREEN_SUR40 is not set
---
> CONFIG_TOUCHSCREEN_SUR40=m
3018a3052
> # CONFIG_HW_RANDOM_ATMEL is not set
3020a3055
> # CONFIG_HW_RANDOM_EXYNOS is not set
3042,3044c3077,3079
< # CONFIG_TCG_TIS_I2C_ATMEL is not set
< # CONFIG_TCG_TIS_I2C_INFINEON is not set
< # CONFIG_TCG_TIS_I2C_NUVOTON is not set
---
> CONFIG_TCG_TIS_I2C_ATMEL=m
> CONFIG_TCG_TIS_I2C_INFINEON=m
> CONFIG_TCG_TIS_I2C_NUVOTON=m
3048,3049c3083,3084
< # CONFIG_TCG_ST33_I2C is not set
< # CONFIG_TCG_XEN is not set
---
> CONFIG_TCG_ST33_I2C=m
> CONFIG_TCG_XEN=m
3062a3098
> # CONFIG_I2C_MUX_PINCTRL is not set
3103c3139
< # CONFIG_I2C_DESIGNWARE_PLATFORM is not set
---
> CONFIG_I2C_DESIGNWARE_PLATFORM=m
3185a3222,3230
> CONFIG_PINCTRL=y
> 
> #
> # Pin controllers
> #
> # CONFIG_PINMUX is not set
> # CONFIG_PINCONF is not set
> # CONFIG_DEBUG_PINCTRL is not set
> # CONFIG_PINCTRL_BAYTRAIL is not set
3438c3483
< # CONFIG_ACPI_INT3403_THERMAL is not set
---
> CONFIG_ACPI_INT3403_THERMAL=m
3714c3759,3761
< # CONFIG_VIDEO_STK1160_COMMON is not set
---
> CONFIG_VIDEO_STK1160_COMMON=m
> CONFIG_VIDEO_STK1160_AC97=y
> CONFIG_VIDEO_STK1160=m
3782c3829
< # CONFIG_VIDEO_EM28XX_V4L2 is not set
---
> CONFIG_VIDEO_EM28XX_V4L2=m
3886c3933
< # CONFIG_USB_RAREMONO is not set
---
> CONFIG_USB_RAREMONO=m
3953a4001
> CONFIG_VIDEO_TVP5150=m
3973a4022
> CONFIG_VIDEO_MT9V011=m
4178c4227
< # CONFIG_DRM_LOAD_EDID_FIRMWARE is not set
---
> CONFIG_DRM_LOAD_EDID_FIRMWARE=y
4317c4366
< # CONFIG_FB_SIMPLE is not set
---
> CONFIG_FB_SIMPLE=y
4541c4590
< # CONFIG_HID_ELO is not set
---
> CONFIG_HID_ELO=m
4597c4646
< # CONFIG_HID_XINMO is not set
---
> CONFIG_HID_XINMO=m
4751c4800
< # CONFIG_USB_SERIAL_MXUPORT is not set
---
> CONFIG_USB_SERIAL_MXUPORT=m
4887a4937,4938
> # CONFIG_MMC_SDHCI_PXAV3 is not set
> # CONFIG_MMC_SDHCI_PXAV2 is not set
5223c5274
< # CONFIG_COMEDI_MF6X4 is not set
---
> CONFIG_COMEDI_MF6X4=m
5276,5277c5327,5330
< # CONFIG_R8188EU is not set
< # CONFIG_R8821AE is not set
---
> CONFIG_R8188EU=m
> CONFIG_88EU_AP_MODE=y
> CONFIG_88EU_P2P=y
> CONFIG_R8821AE=m
5280c5333,5334
< # CONFIG_RTS5208 is not set
---
> CONFIG_RTS5208=m
> # CONFIG_RTS5208_DEBUG is not set
5469c5523
< # CONFIG_HP_WIRELESS is not set
---
> CONFIG_HP_WIRELESS=m
5507c5561,5571
< # CONFIG_CHROME_PLATFORMS is not set
---
> CONFIG_CHROME_PLATFORMS=y
> CONFIG_CHROMEOS_LAPTOP=m
> CONFIG_CHROMEOS_PSTORE=m
> CONFIG_CLKDEV_LOOKUP=y
> CONFIG_HAVE_CLK_PREPARE=y
> CONFIG_COMMON_CLK=y
> 
> #
> # Common Clock Framework
> #
> # CONFIG_COMMON_CLK_SI5351 is not set
5663c5727
< # CONFIG_HID_SENSOR_INCLINOMETER_3D is not set
---
> CONFIG_HID_SENSOR_INCLINOMETER_3D=m
5694c5758,5759
< # CONFIG_POWERCAP is not set
---
> CONFIG_POWERCAP=y
> CONFIG_INTEL_RAPL=m
5947c6012
< # CONFIG_CEPH_FS_POSIX_ACL is not set
---
> CONFIG_CEPH_FS_POSIX_ACL=y
6062c6127
< CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
---
> CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
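Review bot: this is the one hunk in the whole diff that changes the attack surface rather than driver coverage, and it goes the tighter way. CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1 means every SysRq function is enabled; 0x01b6 is a bitmask (2 loglevel, 4 keyboard/SAK, 16 sync, 32 remount read-only, 128 reboot/poweroff, 256 nice RT tasks) that leaves out the process-signalling keys (64) and the debugging dumps (8). Since the post's own summary says the security-relevant settings "are not in the diff", this line deserves a mention, and the running value can be confirmed after boot with `cat /proc/sys/kernel/sysrq` (438 is 0x1b6).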
6474c6539
< # CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set
---
> CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
6485,6486c6550,6551
< # CONFIG_CRYPTO_SHA256_SSSE3 is not set
< # CONFIG_CRYPTO_SHA512_SSSE3 is not set
---
> CONFIG_CRYPTO_SHA256_SSSE3=m
> CONFIG_CRYPTO_SHA512_SSSE3=m
6506,6507c6571,6572
< # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 is not set
< # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 is not set
---
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
6510c6575
< # CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set
---
> CONFIG_CRYPTO_CAST5_AVX_X86_64=m
6512c6577
< # CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set
---
> CONFIG_CRYPTO_CAST6_AVX_X86_64=m
6522c6587
< # CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set
---
> CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
6550c6615,6617
< # CONFIG_CRYPTO_DEV_CCP is not set
---
> CONFIG_CRYPTO_DEV_CCP=y
> CONFIG_CRYPTO_DEV_CCP_DD=m
> CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
6596c6663
< CONFIG_CRC8=m
---
> # CONFIG_CRC8 is not set
6622a6690
> CONFIG_BCH=m

That diff reflects changes in the kernel, the advancements of different
methods, and relinquishing of others, and also changes in hardware support since
the last Debian kernel team's config that I based my packages on.

No, I'm not an expert, I do not understand all the stories on all the
particular modules. The gist I do grasp very well.

What I need to say here also is, the important changes for us who build
Grsecurity kernels are not in the diff, because I used exactly the same
configuration for Grsecurity (I did that part manually, comparing the 3.14.2-based
.config in one menuconfig, on the 3.14.4-grsec140521-02 old linux sources which I had
already built, with, in another terminal, the 3.14.4-grsec140521-10 linux
sources that were only yet to be built).

And, of course, importantly for us, removing all the reminiscence, as much as that
can be done, of the NSA SELinux and some other "security" options, but really
spying-excused-on-security, according to many voices, all of them getting all
the more stifled in the bigbrotherly Orwellian world of today.

And I believe my packages do have all the hardware support that regular
(SELinux on top, that is what we want without) Debian GNU/Linux kernel, which I
base my packages upon, have.

But I'm not an expert. This is my best try to make matters more honest.

Support, advice, help, will be welcome.

And I made a huge time expenditure, which I can not really cover for. I'm out
for a while now (other than being around a little longer to be able to follow
on replies, if any).

Miroslav Rovis
http://www.CroatiaFidelis.hr

P.S. I really was to go, but I remembered the other efforts in applying
Grsecurity into Debian, as:

https://wiki.debian.org/Mempo
and
http://molly.corsac.net/~corsac/debian/ ... /packages/

which both build on wheezy.

( pls. see Debian official stance on Grsecurity:
https://wiki.debian.org/grsecurity )

I hope those are sooner than later developed into fully-fledged projects, and
also get bleeding edge, and get support more and more in among the general
public.

But if you really want Grsecurity on bleeding edge Debian, and it's still, for
my taste, as well as in my experience, more often than not, stable rather then
not, the kind of install that I deploy here, is the way to go.

However, a huge number of Debian users simply have the NSA SELinux kernel thrown upon them in their systems, and newbies just can't know to choose.
So my way here is weaning them off. I hope this Tips page is useful in that
sense. It is not meant as a rival to other ways of introducing the real security,
the Grsecurity/Pax, into Debian.

I'm posting this after publishing the packages. They will be at the usual
address:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
(which will be a symlink to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140521/ )

Just think (and also you can see times from the timestamps of files in that
directory) the rate at which I upload is around:

50KB/s

That, on top of slow compilation, huge time to upload (I have to thank Iskon
Croatia here, because I pay for more, but they don't deliver more, they even
cut my connection all through, a few times)...

That huge time to upload is, as I wrote, and have no desire left to repeat in
its entirety, you can find it in previous post, and in the script, is the
measure of my disgust.
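The two .config chores the posts above describe, the LOCALVERSION rewrite that post #28 says silently failed and the comparison of two configs in post #30, as one added example. This is not code from the posts or from grsec-deb-compile.sh; the .config fragments are constructed, and the list of symbols it treats as hardening-relevant is my choice, not the script's.

```shell
#!/bin/sh
# Added example, not from the original posts or from grsec-deb-compile.sh.
# Two helpers for the .config handling discussed above:
#   set_localversion  rewrites CONFIG_LOCALVERSION and fails unless the
#                     rewrite actually took (post #28 describes a sed line
#                     that silently did nothing);
#   diff_hardening    compares only the grsecurity/PaX and a few other
#                     security-relevant symbols of two .config files, so
#                     hardware-module churn cannot hide a hardening change.
# The .config fragments below are constructed for the demo; real files are
# thousands of lines long but use the same two line formats.
set -u

# Print the value of CONFIG_LOCALVERSION (without the quotes), empty if unset.
get_localversion() {
    sed -n 's/^CONFIG_LOCALVERSION="\(.*\)"$/\1/p' "$1"
}

# set_localversion FILE VALUE: VALUE must not contain / " & or \ (a value
# like 140521-10 is fine). Returns 1 unless exactly one line carries the
# new value afterwards, so a build script can stop instead of producing
# packages that still carry the old version string.
set_localversion() {
    cfg=$1; ver=$2
    case $ver in */*|*\"*|*\&*|*\\*) echo "bad LOCALVERSION: $ver" >&2; return 1 ;; esac
    tmp=$(mktemp) || return 1
    sed "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=\"$ver\"/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg" || { rm -f "$tmp"; return 1; }
    n=$(grep -c "^CONFIG_LOCALVERSION=\"$ver\"\$" "$cfg" || true)
    [ "$n" -eq 1 ]
}

# Symbols that decide the hardening level (my selection). CONFIG_SECURITY
# also matches the LSM choices, SELinux included, that post #30 strips.
HARDENING_RE='^(# )?CONFIG_(GRKERNSEC|PAX|MAGIC_SYSRQ|X86_MSR|DEVKMEM|STRICT_DEVMEM|DEFAULT_SECURITY|SECURITY)'

hardening_view() {
    grep -E "$HARDENING_RE" "$1" | sort
}

# diff_hardening OLD NEW: exit 0 if both configs agree on every hardening
# symbol, 1 (with the differing lines in diff format on stdout) otherwise.
diff_hardening() {
    a=$(mktemp) && b=$(mktemp) || return 1
    hardening_view "$1" > "$a"
    hardening_view "$2" > "$b"
    rc=0
    diff "$a" "$b" || rc=1
    rm -f "$a" "$b"
    return $rc
}

# Demo on constructed fragments: only the SysRq and MSR lines are reported,
# the NET_SCH_PIE change is driver churn and stays out of the way.
demo=$(mktemp -d)
cat > "$demo/config-old" <<'EOF'
CONFIG_LOCALVERSION="140521-02"
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
# CONFIG_X86_MSR is not set
CONFIG_GRKERNSEC=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_NET_SCH_PIE is not set
EOF
cat > "$demo/config-new" <<'EOF'
CONFIG_LOCALVERSION="140521-02"
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
CONFIG_X86_MSR=m
CONFIG_GRKERNSEC=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_NET_SCH_PIE=m
EOF

set_localversion "$demo/config-new" "140521-10" \
    && echo "LOCALVERSION is now $(get_localversion "$demo/config-new")"
if diff_hardening "$demo/config-old" "$demo/config-new"; then
    echo "hardening symbols identical"
else
    echo "hardening symbols differ (lines above): review before building"
fi
rm -rf "$demo"
```

Run diff_hardening against the .config the Debian kernel team ships and the one you are about to build with before every `make deb-pkg`; the 70-odd hunks of driver changes in the post are then silent and anything touching GRKERNSEC_*, PAX_* or the SysRq mask stands alone.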

#31 Post by timbgo »

timbgo wrote: ...[snip]...
at the usual address:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
(which will be a symlink to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140521/ )
No. the symlink is back to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140430/
and while I am not competent to talk about source, which those guys read as they drink water, and I struggle with, I think I am free to make my conjectures as to what happened.
Pls. make your conjectures yourself by looking into the changes.
The last one who, IIUC, contributed code to grsecurity before the bad version
grsecurity-3.0-3.14.4-201405141623.patch
was Linus the Dear Leader in person...
See for yourself:
https://www.grsecurity.net/changelog-test.txt
Sure, Spender took time to get the right version out, Linus is a genius... and, on top of that, sometimes, with code, I bet there are areas where you don't easily figure out where and what...

So, if you're compiling, use the latest 3.14.4:
https://www.grsecurity.net/download.php
which is currently:
grsecurity-3.0-3.14.4-201405252047.patch

that is, with my script for beginners, downloaded from github:
https://github.com/miroR/grsec-deb-compile
or from CroatiaFidelis.hr if I suggested otherwise, yet, previously...

timbgo wrote:Just think (and also you can see times from the timestamps of files in that
directory) the rate at which I upload is around:

50KB/s

That, on top of slow compilation, huge time to upload (I have to thank Iskon
Croatia here, because I pay for more, but they don't deliver more, they even
cut my connection all through, a few times)...

...[snip]...
But, if you want me to post the new packages, which I compiled, you need to, a few of you at least, kindly ask Iskon Hrvatska (Croatia) to release my upload connection to the full speed that I paid them for, and not the trickle they allow me.
Try:

help@iskon.hr

or

support@iskon.hr

Should work.

Thanks,
Miroslav Rovis
http://www.CroatiaFidelis.hr

#32 Post by timbgo »

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
now contains 3.14.6 grsec-patched kernel packages

And at any time, with the current Grsec patch, you can use the script-guide
for beginners from:
https://github.com/miroR/grsec-deb-compile
(or if you want to check the script with PGP:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
and
http://www.croatiafidelis.hr/gnu/deb/gr ... ile.sh.sig
With grsec-deb-compile.sh you also build the debugger package, which I am no longer posting for download from now on: too slow a connection, and most users don't really need it.

See also:
Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic ... 5&start=15

and if you are deciding for yourself on which kernel to use on your Debian, see this:
Tips on Grsecurity installation for Gentoo newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3974
where some very crucial and very important information applies to all of the GNU/Linux

Miroslav Rovis
http://www.CroatiaFidelis.hr

#33 Post by timbgo »

I should soon be working to post more on Grsecurity Install in Debian.

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

#34 Post by timbgo »

As usual, the new packages (just no more debugger for stated reasons, man it's 50K/s that my provider Iskon Croatia is letting me, sorry, choking me, have, the upload speed)...

As usual, the new packages are at:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

And you don't need to anymore click on each link to download the entire set of packages.

Download, say into a proverbial empty directory, first just the:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

(dLo is for download, wget is the fine program by Hrvoje Nikšić from Croatia for command line downloads)

Then do:

$ chmod 755 dLo-wget.sh
$ ./dLo-wget.sh

That will download all the packages for you.

Then do

$ gpg --verify deb-kern-3.15.5-grsec.sum.sig

which must give you a good signature, else do not continue. How to use GnuPG is out of scope here, but you can study the script below and see how to get PGP keys and verify signatures from my script that I mention below.

Then you need to check the packages are fine with:

$ sha256sum -c deb-kern-3.15.5-grsec.sum

All packages must be shown OK, else, do not continue.

And then, as root, install them:

dpkg -i *.deb

Those packages are for people who want to introduce themselves to Grsec.
They are made on an old AMD64 system, and consequently they should work on almost any AMD64 system, which is the benefit.
The disadvantage is that they are probably not optimized well for newer, mightier systems.

However, you can most probably compile better packages for yourself with the script that I have not changed in some months now, because it's just some typos that need changing, all the functionality is working fine.

That script is in various places, such as:
https://github.com/miroR/grsec-deb-compile
as well as:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
(which is recommended if you want to verify the script with PGP)

Grsec is the sine qua non of security in GNU/Linux.
Cheers!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
================================================
P.S.
Important to mention for those who try and install things quickly:
This above is almost all. Just a few things will be missing once you boot (best to do them before you boot into it, but it's just a minor nuisance rebooting and doing them after).
Oh, yes, some of the stuff needs to be done previous to install, or if install fails, and that is sorting out some binaries with paxctl (the grub binaries for instance).
I wrote on those previously, it's easy solving those once you're familiar with it, and it's mentioned in the right places in the script I suggest to you above.
Anyway, probably the most of your potential difficulties will be solved if you go through the previous posts in this topic.
And, surely, the documentation for Debian kernel and Grsecurity documentation, is recommended.
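The download, verify and install sequence from post #34 above, as one added example that is not part of the original post or of dLo-wget.sh. The manifest name deb-kern-3.15.5-grsec.sum and its detached signature .sum.sig are the ones the post gives; the sample .deb files are constructed stand-ins, and the "is every .deb in the directory actually listed in the signed manifest" check is an addition of mine that the post's own steps do not perform.

```shell
#!/bin/sh
# Added example, not part of the original post or of dLo-wget.sh: the
# verify-then-install sequence from the post as one fail-closed function,
# plus a constructed demo of the checksum part. sample-*.deb files below
# are constructed, not real packages.
set -u

# Write a manifest for the named files (GNU sha256sum, or shasum elsewhere).
make_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# check_sums MANIFEST: non-zero if any listed file is missing or altered.
# Run it from the directory the manifest's paths are relative to.
check_sums() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1"
    else shasum -a 256 -c "$1"; fi
}

# unlisted_debs MANIFEST: print every *.deb in the current directory that
# the manifest does not cover. "dpkg -i *.deb" would install those with no
# check at all, so an unlisted package has to stop the install.
unlisted_debs() {
    for f in *.deb; do
        [ -e "$f" ] || continue
        awk -v n="$f" '{ sub(/^\*/, "", $2); if ($2 == n) found = 1 }
                       END { exit !found }' "$1" || echo "$f"
    done
}

# install_verified MANIFEST: signature, then hashes, then coverage, then
# dpkg as root. Each step runs only if the previous one passed.
install_verified() {
    sum=$1
    gpg --verify "$sum.sig" "$sum" || { echo "signature: FAILED" >&2; return 1; }
    check_sums "$sum"              || { echo "checksums: FAILED" >&2; return 1; }
    extra=$(unlisted_debs "$sum")
    [ -z "$extra" ] || { echo "not in manifest: $extra" >&2; return 1; }
    su -c 'dpkg -i ./*.deb'        # or: sudo dpkg -i ./*.deb
}

# Demo of the checksum and coverage steps on constructed files (the gpg
# step needs the author's key and is not exercised here).
demo=$(mktemp -d)
(
    cd "$demo"
    printf 'constructed, not a real package\n' > sample-image_1_amd64.deb
    printf 'constructed, not a real package\n' > sample-headers_1_amd64.deb
    make_manifest *.deb > demo.sum
    check_sums demo.sum
    printf 'stray\n' > sample-stray_1_amd64.deb
    echo "unlisted: $(unlisted_debs demo.sum)"
    printf 'x' >> sample-image_1_amd64.deb
    if check_sums demo.sum; then echo "BUG: tampering not caught"
    else echo "tampered package caught, install would stop here"; fi
)
rm -rf "$demo"
```

Two things the post's wording glosses over: `gpg --verify` exits 0 with "Good signature" for any key in your keyring, including one fetched from a keyserver a minute earlier and never checked, so compare the fingerprint it prints with one obtained over a second channel before trusting the result; and it is the signed manifest, not the signature alone, that ties each .deb's hash to the signer, which is why a .deb present in the directory but absent from the manifest must not reach `dpkg -i`.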

#35 Post by timbgo »

As far as your free time and interest (and free mind) allows you, for those following my Grsec/Pax Tip which you're reading now, in the first place, please [*] just those following my Tip, OK, have a look at:

Defeat and Hope for GNU/Linux
http://forums.debian.net/viewtopic.php?f=3&t=116472

I'm writing this ahead of time, as you may, in some time, not be getting any more of my updates as has been so far, but I'm on a quest to build something that I can trust instead.

Namely I don't trust systemD and packages around it at all. And it's the default for Jessie.

As you can see on that page, and I'll just paste over here the lines to further, actually, modify in effect, as my research further clarifies, now:
timbgo wrote:Either Mempo pulls truly off and stands up on its feet, which if it happens, my
joy will be immense, the preferable outcome.

Or someone helps me figure out how to revert form non-systemd in my Jessie, and
keeep on with my Grsecurity Tip, as all these months for almost one year now,
the consolatory outcome.

I'm betting on Mempo, and I think I'll try and become a tester.
No, I'm not betting on it, I'm only hoping, with some doubts how they could possibly succeed.
The developer base in Mempo is still too small, the tasks too big. I will keep my fingers crossed that they make it, and will be immensely happy if they do, but I'm not betting on it...
I tried to contact them via the offered irc chat, only once, true.
And I've been studying their pages, learned a lot from references offered, thanks.
But also there are unclarities and also incorrect and arbitrary presentations there.

Such as on Gentoo. No, Mempo people, not true. I'm referring to this:
http://mempo.org/index.html#hover1
Pls have a look at places such as:
Project:Hardened uClibc/Lilblue
https://wiki.gentoo.org/wiki/Project:Ha ... bc/Lilblue
as well as (referred to from Lilblue):
Features (on Ubuntu Wiki)
https://wiki.ubuntu.com/Security/Features

And as far as the "consolatory outcome" goes, if any of bigger boys from Debian are reading this (PLEA: I don't need negative nit picking advice, pls. refrain from such, just put me in your personal ignore list instead), I am looking for a shortcut without too much work on my, pages where the howto live in Jessie without systemD, if such pages exist, or can be found such info in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this tutorial on Jessie.

I'm not leaving just yet, I don't think, I'm weighing my options.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[*] equally, I won't bother anywhere where SELinux', systemD's or other fans congregate, freedom and choice to everybody!
======= cut out all underneath if verifying hashes ========
The file corresponding to this post has publictimestamp # 1236932
--
publictimestamp.org/ptb/PTB-21273 sha256 2014-08-02 12:01:45
C8792654DB0D24F510F4EAA4C2A14B657F2C1B1009B22C71C5F0F50DC939E098
Since I already pts'd the page, correction can now only go here:
Above, where you see it, should instead read:
I am looking for a shortcut without too much work of my own, pages where the howto lives about Jessie without systemD, if such pages exist, or if such info can be found in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this Grsec/Pax Tips page on Jessie.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#36 Post by timbgo »

This is a crucial time for my continuing the work, hopefully, or not (which I would not like if that had to happen, and which will certainly not immediately happen, as I wrote a few days ago here) with this Debian GNU/Linux Tips page on Grsecurity.

There is very little opportunity, other than with some determined hard work, for a Debian newbie to gain true understanding of what this is really about, because of the strong and merciless propaganda from the systemd-impositioners side, and if that continues to be so, the losing party will be the freedom itself.

The freedom will be the losing party, in its brightest and most beautiful quality: the privacy.

There is no privacy without security, and the only true security nowadays in GNU/Linux is where the two honest geniuses, Spender and Pax Team, and developers associated with them, work on fixing the holes in the kernel: the Grsecurity.

That is my view, and it is absolutely legitimate for me to say that here. However, if you want more on that, study my other posts, recent and earlier, as I can not indulge in it here, reasons also being too much, and often flaming, opposition from the systemd-supporters' side.

On that flaming and invading opposition though, proofs aplenty in the link that I will give next in this current post. And some of it is of the worst kind. Some of it is downright trolling, on me:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=5&t=116770

Some of you, readers and users of my script-guide for beginners that this topic you're reading features, can perfectly understand me if I tell you:

There will be no more room left, not really, for us who want that aforesaid true security if the systemd becomes the sole way to go in Debian GNU/Linux, no there will not really be any more!

If the few dishonest people (remember there's a very very tiny minority who own the majority of world's resources generally, and into that tiny group these few of our concern belong)...

No, I'm not an insider nor an investigative journalist with sources to know about those few, I only reserve the right to deduce it logically from the big picture.

And the big picture, what is the big picture? Read, first, this mail by [IIUC] a Debian Developer:

================================================
https://lists.debian.org/debian-devel/2 ... 00143.html

> Can we get over this now and start making Jessie the most awesome stable
> release we've ever prepared together?

For some of us there will never be an awesome Debian release that at its core contains systemd. Its core developers, Lennart Poettering and Kay Sievers, work for a company that has multi-billion dollar contracts with NSA. It is your choice to assume good faith on their part. It is our choice not to.

Please respect our decision to stay away from systemd and still be Debian users. If possible, please, don't resist changes that make our lives easier.
================================================

You can also find plenty of discussion on who brought up those changes (and the few I mentioned are the movers and shakers of some of those companies that did bring about those changes) in, so far, probably the best (public) discussion in the GNU/Linux world to be found on the issue:

When (and if) Gentoo will switch to systemd?
https://forums.gentoo.org/viewtopic-t-981256.html

That's all I base my statement on. That Gentoo Forums discussion. However, it is a very hefty read, and I am not sifting through it again just to provide details to support my claim. What I said, and referenced, suffices for my argument here. Check it out yourself, anyone, before potentially blaming me for bringing in a lame argument. That argument is not lame, just read that aforementioned voluminous Gentoo Forums discussion to check it.

In light of the above, my next thought. Actually I deployed the above reasoning for it.

My next thing to do regarding your and my true freedom, dear reader, which, again, there is none without what every and any democratic country in the world claims is the guaranteed right of their citizens: the right to secrecy in their communications, which translates to: privacy (yes privacy is: secrecy when you want it), which there is none, no privacy/secrecy there in computing, without security.

And do you really believe that spy agencies can provide you that security, which Debian has as default: the NSA's SELinux?... And I don't trust any other "security" either.... but only Grsecurity [for my privacy, and so for my freedom]...

But my next thing to do was a Tip in these forums on how to deploy Gradm, for full Grsecurity protection, because the sole installation of Grsecurity is fine, and protects you from most of the attacks, from almost all, but, alsa, not all..

Not all... There is a little left to do to gain full protection, which little cannot be done through patching the GNU/Linux kernel (which Grsecurity is: it is a set of patches to the kernel), and that little which still remains missing when Grsecurity patched kernel is installed in your system, can be done with Gradm:

for which pls. see:
the Download page
https://www.grsecurity.net/download.php

and the:
Grsecurity on Wikibooks page
https://en.wikibooks.org/wiki/Grsecurity

(in both of which find Gradm)

But Gradm is much, much harder to deploy on poetteringware-ruined (IMO) systems, of which poetteringware the systemd is (IMO) the absolutely most detrimental to GNU/Linux as we have known it by now.

Do you get my point, dear reader?

There have been reports and complaints on, I don't remember now exactly, but either systemd or some of its precursors/kindred like the *kits (consolekit, policykit), or somesuch, how Gradm cannot be properly/easily installed/configured on Grsecurity-patched Gentoo kernels, these things being hard or not doesn't depend on which distro we're talking.

What I mean, deploying Gradm and getting true privacy for your box (which your country's Constitution probably guarantees for you) is going to be much harder if we don't get a systemd-free option for our Debian machines.

So dear reader, if you understand my points, and I'm sure some of you readers do understand me quite well, then please don't allow trolls to drown my new topic which I deployed to address the issue of getting for ourselves a systemd-free GNU/Linux Debian, the:

How to avoid stealth installation of systemd?
(link given nearer to the top of the post)

Don't allow it to be drowned. Instead, study the issue and try to help. You can help even if you just have honest questions, maybe on the methods to choose, which there are two there, and none contains complete advice in regard either from me or from some advanced user or developer, or with more relevant information, if you have any, if you are an advanced user or developer truly looking into these posts to help.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

==== cut this line and all underneath if verifying hashes ====
File corresponding to this file, Deb_Grsec_140816.txt,
has Publictimestamp # 1238462
--
publictimestamp.org/ptb/PTB-21385 sha256 2014-08-16 12:01:45
4D4AF7DE153174FB93CB56F480EBA406AF53CBC79CB022E8A4FD4FD485DF49C2

CORRIGENDA 2014-08-17 23:34 CEST:
Replace: "from almost all, but, alsa, not all"
With: "from almost all, but, alas, not all"
Last edited by timbgo on 2014-08-17 21:36, edited 1 time in total.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#37 Post by timbgo »

On:

https://github.com/miroR/grsec-deb-compile/

you can now choose, not the default, which is master, but:

develop (branch)

and you can (you don't have to, you can go the old way, everything will be explained to you what to do) give three arguments to the script, such as:

Code: Select all

./grsec-deb-compile.sh grsecurity-3.0-3.15.10-201408140023 linux-3.15.10 \
    config-3.15.5-grsec140723-17
(the "\" just tells it to ignore the newline; you may leave it out)

which is a little bit faster for regular users of the script.

Still a lot of room for improvement of this primitive script in that there is nothing really at all here for advanced users, but for beginners there is.

Enjoy!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
============================
Ah, and the entire git archive for grsec-deb-compile is now PGP signed with my signature. It was all explained in the Help section by the GitHub.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#38 Post by timbgo »

Also, for those at the very beginning of acquainting themselves with GNU/Linux, I prepared the packages.

Open in a browser:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

Right click on:

dLo-wget.sh

and in the menu that opens, left-click on "Copy link location".

Make an empty folder, maybe (substitute "ukrainian" with your username):

Code: Select all

$ mkdir ~ukrainian/grsec.d/
$ cd ~ukrainian/grsec.d/
$ wget 
...[snip]...
I'm interrupting it here to explain to you in a more easily understandable fashion.
After you typed "wget " (see the space there?), you now need to right click again.
The menu opens. Now left click on the "Paste" in that menu.

You now have a line like this one:

Code: Select all

$ mkdir ~ukrainian/grsec.d/
$ cd ~ukrainian/grsec.d/
$ wget http://www.croatiafidelis.hr/gnu/deb/linux-deb-3.15.10-grsec140817-00/dLo-wget.sh
$
in your terminal. If so, click Enter. It will download that file.

If not, you went wrong somewhere.

Now you need to do:

Code: Select all

$ chmod a+x dLo-wget.sh
which will make that scriptlet executable. And then you need to execute it with:

Code: Select all

$ ./dLo-wget.sh
...
I put "..." there because that command will download all you need to install Grsecurity-patched kernel in your Debian GNU/Linux for you.

Just a minute or so, depending on your connection, and all the files are downloaded.
And it ought to look something like this (if not, probably you went wrong somewhere):

Code: Select all

$ ls -l
total 39472
-rwxr-xr-x 1 mr mr      681 Aug 17 08:16 dLo-wget.sh
-rw-r--r-- 1 mr mr   966140 Aug 17 08:04 linux-firmware-image-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr  7037090 Aug 17 08:05 linux-headers-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr 31630870 Aug 17 08:08 linux-image-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr   762318 Aug 17 08:08 linux-libc-dev_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr      535 Aug 17 08:04 SUMS
-rw-r--r-- 1 mr mr      819 Aug 17 08:04 SUMS.sig
$
Now do:

Code: Select all

$ sha256sum -c SUMS
 ... OK
 ... OK
$
There must be no errors!

And also you need to, if you really want to be sure all is fine:

Code: Select all

$ gpg --recv-key 0x4FBAF0AE
which may be set for you, and if it is not, is a much wider and harder topic to teach... and they complain that my posts are too long suggesting you don't read them...

And then:

Code: Select all

$ gpg --verify SUMS.sig
gpg: Signature made Sun 17 Aug 2014 08:01:24 AM CEST using RSA key ID 4FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
$
which, if it says good signature, or similarly, then you can proceed to the last step.

The last step is, open a terminal as root and (just replace "ukrainian" with your user name, this is if you created, the name is just an example, grsec.d, as further above explained):

Code: Select all

# cd ~ukrainian/grsec.d/
# dpkg -i *.deb
#
which will install all the packages in your machine.

If you have any issues, some answers may be already in this topic (such as the need to use paxctl on binaries), in the previous posts, and sure enough on:

https://forums.grsecurity.net/

Grsecurity is not all the way easy and simple, no big money behind the curtains here, only pure idealists, not necessarily religious like me, unless GNU is a religion, which it is I would argue (grin), but it's the only way for you if you know what is, and want:

privacy

for yourself,

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
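One way to script the verify-then-install steps of this post, as an added example that is not the post's dLo-wget.sh nor any script from this thread. It assumes GNU coreutils sha256sum, gpg and dpkg on PATH, uses the file names and key id the post gives, and adds one check the manual steps do not make: a .deb sitting in the directory but not listed in SUMS would still be installed by "dpkg -i *.deb", so it is rejected here.

```sh
#!/bin/sh
# Added example, not the post's dLo-wget.sh nor any script from this thread.
# Runs the post's checks (sha256sum -c SUMS, gpg --verify SUMS.sig) and only
# then "dpkg -i *.deb". Assumes GNU coreutils sha256sum, gpg and dpkg on PATH.
# Extra check the manual steps lack: a .deb that is NOT listed in SUMS would
# still be installed by "dpkg -i *.deb", so it is rejected here.

# Key id from the post. A full 40-hex fingerprint is a stronger check; any
# suffix of the signing key's fingerprint works with the match below.
EXPECTED_KEYID="4FBAF0AE"

# verify_sums DIR: 0 only if every hash in SUMS matches and every *.deb in DIR
# is listed in SUMS (names without spaces, as Debian package files are).
verify_sums() {
    dir="$1"
    [ -f "$dir/SUMS" ] || { echo "no SUMS in $dir" >&2; return 1; }
    ( cd "$dir" && sha256sum -c --quiet SUMS ) || return 1
    for deb in "$dir"/*.deb; do
        [ -e "$deb" ] || continue          # glob matched nothing
        name=$(basename "$deb")
        # second field of a SUMS line is the file name, '*'-prefixed in binary mode
        awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) ok = 1 }
                          END { exit ok ? 0 : 1 }' "$dir/SUMS" ||
            { echo "package not listed in SUMS: $name" >&2; return 1; }
    done
    return 0
}

# verify_sig DIR: 0 only if SUMS.sig is a good signature over SUMS made by
# EXPECTED_KEYID. Reads gpg's machine-readable status lines (--status-fd)
# instead of parsing the human-readable "Good signature from ..." text.
verify_sig() {
    dir="$1"
    status=$(gpg --status-fd 1 --verify "$dir/SUMS.sig" "$dir/SUMS" 2>/dev/null) ||
        { echo "bad or missing signature on SUMS" >&2; return 1; }
    echo "$status" | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-Fa-f]*$EXPECTED_KEYID " ||
        { echo "SUMS.sig not made by key ...$EXPECTED_KEYID" >&2; return 1; }
}

# install_if_verified DIR: the post's last step, gated on both checks.
install_if_verified() {
    dir="$1"
    verify_sums "$dir" && verify_sig "$dir" ||
        { echo "verification failed; nothing installed" >&2; return 1; }
    ( cd "$dir" && dpkg -i ./*.deb )
}

# Usage (as root, after dLo-wget.sh fetched the files):
#   ./verify-install.sh ~ukrainian/grsec.d
if [ $# -ge 1 ]; then
    install_if_verified "$1"
fi
```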

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#39 Post by timbgo »

A typical issue with Grsec kernel, and easy solution
=============================================

E.g., I like using jacksum

http://www.jonelo.de/java/jacksum/

I tried taking hashes, such as:

Code: Select all

/some/dir/ $ jacksum -V summary -a sha256 -r -d -f -m ./ > some-name.sum
(You get similar errors in GUIs as well. Don't bother figuring out that command if it looks too mysterious to you, it's not, but your understanding of it is not necessary for solving these errors.)
and I got an error out:

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000687911000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)

and more, but it's really not intrinsic to solving the (usual) problems with hardened kernels.

So I went looking for the binary to apply paxctl treatment to.

Code: Select all

$ which jacksum
/usr/bin/jacksum

Code: Select all

$ file jacksum
/usr/bin/jacksum: POSIX shell script, ASCII text executable
$
OK, so jacksum is a script. You can't paxctl a script, sure. But the script calls a binary in these cases. The script contains this line:

Code: Select all

java -jar "/usr/share/java/jacksum.jar" "$@"
It's the java program itself that needs to be paxctl'ed.

Code: Select all

$ which java
/usr/bin/java
$ 
Now become root.

Truly, if you even tried to run (you don't need to do it):

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/java does not have a PT_PAX_FLAGS program header, try conversion

Code: Select all

# /usr/bin/java
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00006b6075000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /some/dir/hs_err_pid3295.log
# 
And the /some/dir/hs_err_pid3295.log contains all kinds of errors that a programmer (which I'm not, or maybe a tiny fraction of, only) could tell stories about.

And here's for us Joe users what we need to do:

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/java does not have a PT_PAX_FLAGS program header, try conversion
#
Do this to know what paxctl does, and understand the gist of it as much as you can, it'll help you understand better situations like this one that will arise in the future:

Code: Select all

# paxctl -h
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
	-p: disable PAGEEXEC		-P: enable PAGEEXEC
	-e: disable EMUTRAMP		-E: enable EMUTRAMP
	-m: disable MPROTECT		-M: enable MPROTECT
	-r: disable RANDMMAP		-R: enable RANDMMAP
	-x: disable RANDEXEC		-X: enable RANDEXEC
	-s: disable SEGMEXEC		-S: enable SEGMEXEC

	-v: view flags			-z: restore default flags
	-q: suppress error messages	-Q: report flags in short format
	-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
	-C: create PT_PAX_FLAGS (see manpage!)
#
There, I pasted it, so that the beginners don't get too daunted, because this will be solved easily.

In this case, we only need to do:

Code: Select all

# paxctl -c /usr/bin/java
file /usr/bin/java had a PT_GNU_STACK program header, converted
#
and:

Code: Select all

# paxctl -m /usr/bin/java
#
[1]

Now, that binary will look much friendlier for the use with our Grsec-enhanced kernel:

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/bin/java]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
#
And, sure enough, the command that showed the reported error above, now ran without a hitch.
( this one:

Code: Select all

$ jacksum -V summary -a sha256 -r -d -f -m ./ > some-name.sum )
It's pretty similar how to solve it in other situations that, if you follow this my
"Grsecurity/Pax installation on Debian GNU/Linux"
tip, you will encounter, and that is, the Iceweasel on update, and the grub binaries. Again, I'm speaking for my AMD64 arch and my particular setup (which is not at all unusual), just pls. modify for yourself my advice (as well the whole tip) if your arch or your setup is different.

But this is really all I have time for right now.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
[1] In reality those two can be combined in one command:

Code: Select all

paxctl -cm /usr/bin/java
======= cut off from this line to end if verifying hashes =======
File corresponding to this post: Deb_Grsec_140827_jacksum_paxctl.txt,
has Publictimestamp # 1239554
--
publictimestamp.org/ptb/PTB-21471 sha256 2014-08-27 06:01:45
F5051284342C17C4C1C9EA46EE69B88A8A224340CEA5851ED4ED214C89A891A9

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#40 Post by timbgo »

With the new script from develop branch (but changing that soon):
EDIT pls read in the next post how to use it
EDIT END
you can issue the command:

Code: Select all

$ ./grsec-deb-compile.sh grsecurity-3.0-3.16.2-201409060014 linux-3.16.2 config-3.16.2-grsec140908-19
Where the "config-3.16.2-grsec140908-19" will download for you the config file that I just uploaded. (See previous posts if unclear; although I am striving to make this all as easy to follow as possible, not all can be contained within the last few posts)

That command line will remain usable (copy-paste-and-run-able; just copy without the initial "$") until upstream has those available. Grsec patches are not kept but for a week or so after they are released.

No, I haven't done all the work that I proposed myself to do in this regard, but this is a fine start for anyone wishing to install themselves a Grsecurity/Pax patched kernel in their Debian machines.

I hope to offer for the newest beginners also the packages, in a while.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
